fix: sync tenant DB password from env during init

Root cause: gt2_tenant_user was created with hardcoded password in init script, but tenant-backend connects with password from .env. Solution: Add 00c-sync-passwords.sh that runs immediately after role creation to sync passwords from environment variables. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-12 19:52:32 -05:00
parent cb50d99f90
commit 773cb23d97
2 changed files with 35 additions and 0 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -229,6 +229,7 @@ services:
      - ./scripts/postgresql/unified/00-create-tenant-database.sql:/docker-entrypoint-initdb.d/00-create-database.sql
      - ./scripts/postgresql/tenant-extensions.sql:/docker-entrypoint-initdb.d/00a-init-extensions.sql
      - ./scripts/postgresql/unified/01-create-tenant-roles.sql:/docker-entrypoint-initdb.d/00b-create-roles.sql
+      - ./scripts/postgresql/unified/00c-sync-passwords.sh:/docker-entrypoint-initdb.d/00c-sync-passwords.sh
      - ./scripts/postgresql/unified/04-init-tenant-schema-complete.sql:/docker-entrypoint-initdb.d/01-init-tenant-schema.sql
      - ./scripts/postgresql/unified/05-create-tenant-test-data.sql:/docker-entrypoint-initdb.d/04-create-test-data.sql
      - ./scripts/postgresql/setup-tenant-tablespaces.sql:/docker-entrypoint-initdb.d/02-setup-tablespaces.sql
--- a/scripts/postgresql/unified/00c-sync-passwords.sh
+++ b/scripts/postgresql/unified/00c-sync-passwords.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# GT 2.0 Password Synchronization Script
+# Runs AFTER role creation to sync passwords from environment variables
+# This ensures passwords match what's in .env, not the hardcoded defaults
+
+set -e
+
+echo "🔐 GT 2.0 Password Sync - Updating passwords from environment..."
+
+# Wait for PostgreSQL to be ready
+until pg_isready -U postgres -d gt2_tenants; do
+    echo "Waiting for PostgreSQL to be ready..."
+    sleep 1
+done
+
+# Update gt2_tenant_user password from environment
+if [ -n "$TENANT_USER_PASSWORD" ]; then
+    psql -U postgres -d gt2_tenants -c "ALTER USER gt2_tenant_user WITH PASSWORD '$TENANT_USER_PASSWORD';" && \
+        echo "✅ Synced gt2_tenant_user password from environment" || \
+        echo "❌ Failed to sync gt2_tenant_user password"
+else
+    echo "⚠️  TENANT_USER_PASSWORD not set - using default password"
+fi
+
+# Update replicator password from environment
+if [ -n "$POSTGRES_REPLICATION_PASSWORD" ]; then
+    psql -U postgres -d gt2_tenants -c "ALTER USER replicator WITH PASSWORD '$POSTGRES_REPLICATION_PASSWORD';" && \
+        echo "✅ Synced replicator password from environment" || \
+        echo "❌ Failed to sync replicator password"
+else
+    echo "⚠️  POSTGRES_REPLICATION_PASSWORD not set - using default password"
+fi
+
+echo "🔐 Password synchronization complete"